Extended trace function #9
base: master
Conversation
I like the idea in principle, but I'm not sure if the proposed API is the right tool for the job. I need to think about it. Is the code that uses the new API available? That would help me understand what's actually needed.
Timing and other side-channels are not fully deterministic. How did you address this?
Hi, thanks for the response! The code using the API is here: It's a prototype version for simple blackbox APDU fuzzing for smart cards. I've tested it and it works well - AFL is able to find interesting inputs. We were also able to partially recover payload structure for some commands. The published version uses only The idea is to use this I think the higher level abstraction is highly application dependent, thus it is a bit complicated to design a robust API on We were using Thanks for considering the PR.
How about #10? I think it's closer to what you need. :-)
Hmm, do you have an example when FNV misbehaves?
Hmm, the direct access to the trace map is nice, maybe for further work. But for now, we are fine with the current API as I have it implemented in my fork. The wrapping methods provide simple memory protection (modulo mem size I could remove

Regarding FNV, try the following. All have the same hash:

```python
afl.hash32(bytes([0,1]))
afl.hash32(bytes([0,2]))
afl.hash32(bytes([0,255]))
afl.hash32(bytes([0,255,255,255]))
# 2166136261
```

From the first occurrence of a zero byte in the buffer the hash will be the same:

```python
afl.hash32(bytes([1,1,0,1]))
afl.hash32(bytes([1,1,0,2]))
# 3967033079
```
And yes, FNV is OK for the original usage as the file name cannot contain a zero byte and the offset computation XORs the whole offset in the first iteration, thus it seems OK.
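The collision described in the two comments above, reproduced in a pure-Python model. This is an added example, not python-afl's code: `fnv1a_cstring()` mimics the behaviour the reply reports (the hash stops at the first NUL byte, as a `strlen()`-driven loop would), and `fnv1a_bytes()` is the ordinary length-aware 32-bit FNV-1a. Both function names and the `collision_report()` helper are this example's own; the sample inputs are the ones from the reply.

```python
"""Model of the NUL-terminated vs. length-aware FNV-1a behaviours discussed
in this thread. Added example; not python-afl's implementation."""

FNV32_OFFSET = 0x811C9DC5  # 2166136261, the 32-bit FNV offset basis
FNV32_PRIME = 0x01000193
MASK32 = 0xFFFFFFFF


def fnv1a_bytes(buf: bytes) -> int:
    """Standard 32-bit FNV-1a over every byte of buf (length-aware)."""
    h = FNV32_OFFSET
    for b in buf:
        h ^= b
        h = (h * FNV32_PRIME) & MASK32
    return h


def fnv1a_cstring(buf: bytes) -> int:
    """FNV-1a that treats buf as a C string: hashing stops at the first NUL.

    This reproduces the reported behaviour: any buffer whose first byte is
    0 hashes to the bare offset basis, and buffers that agree up to their
    first NUL collide regardless of what follows it.
    """
    nul = buf.find(b"\x00")
    return fnv1a_bytes(buf if nul < 0 else buf[:nul])


def collision_report(inputs):
    """Return {buffer: (cstring_hash, full_hash)} for a list of buffers."""
    return {buf: (fnv1a_cstring(buf), fnv1a_bytes(buf)) for buf in inputs}


if __name__ == "__main__":
    # Constructed inputs, taken from the reply above.
    samples = [
        bytes([0, 1]), bytes([0, 2]), bytes([0, 255]), bytes([0, 255, 255, 255]),
        bytes([1, 1, 0, 1]), bytes([1, 1, 0, 2]),
    ]
    for buf, (c, f) in collision_report(samples).items():
        print(f"{buf.hex():>10}  cstring={c:10d}  length-aware={f:10d}")
```

The length-aware variant is what a fuzzer feeding arbitrary APDU bytes into the trace map needs; the C-string variant is harmless only while the input is guaranteed NUL-free, which is the point made for the file-name use above.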
- add result from remote service to the SHM trace bitmap
Relevant thread on afl-users:
Hi!
Thanks for this nice AFL python binding!
I needed a few changes so here is my PR. Motivation is we need to fuzz smartcards with AFL with some instrumentation enabled. As the smartcard is a blackbox for us we cannot use either classical AFL or python `sys.settrace` instrumentation. On the other hand, after the card responds we can somehow recover some information from the run. Naive sources are: return code, return data, timing of the operation. Later some other side channels can be added (e.g., power traces - working on that right now). The point is we need to add some more info to the shared memory bitmap after the fuzzed input is processed.
For that we added a few new methods to the `python-afl` so we can manually do something like
Please take a look at the changes and reconsider merging.
Thanks!
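One way the approach described in this PR can be modelled, as an added example that is not the PR's code and does not use any python-afl function: the AFL shared-memory map is stood in for by a plain `bytearray` of `MAP_SIZE` bytes, an APDU exchange is modelled as (command bytes, status word, response data, elapsed seconds), and `record_response()` folds the three signals named in the description (return code, return data, timing) into that map. All names here (`record_response`, `timing_bucket`, `_slot`) are this example's own; the coarse log-scaled timing bucket is one way of limiting the jitter problem raised in the thread, not something the PR claims to do.

```python
"""Folding a black-box smart-card response into an AFL-style trace map.

Added example, not the PR's or python-afl's code. `trace` is a bytearray
standing in for the AFL shared-memory bitmap; with the real binding the
same indices would be written into the SHM map instead.
"""
import math
import zlib

MAP_SIZE = 1 << 16  # AFL's default trace map size: 65536 one-byte counters


def _slot(*parts: bytes) -> int:
    """Map a tuple of byte strings onto one index of the trace map.

    CRC32 is used only as a cheap, length-aware mixer; a NUL separator
    keeps (b"ab", b"c") and (b"a", b"bc") distinct.
    """
    return zlib.crc32(b"\x00".join(parts)) % MAP_SIZE


def timing_bucket(seconds: float) -> int:
    """Coarse, log-scaled bucket of the response time in microseconds.

    Timing is noisy, so the raw value must not be hashed directly: two
    runs of the same input should land in the same slot. Floor(log2(us))
    gives roughly one bucket per doubling; measurements near a bucket
    boundary can still flip, which AFL's calibration stage then reports
    as an unstable map byte.
    """
    micros = seconds * 1e6
    if micros < 1.0:
        return 0
    return int(math.log2(micros))


def record_response(trace: bytearray, apdu: bytes, sw: int,
                    data: bytes, seconds: float) -> list:
    """Write three signals for one APDU exchange into the trace map.

    The slots are keyed on the command header (CLA, INS) so that the same
    status word from different commands counts as different behaviour.
    Returns the indices touched, in the order sw, data, timing.
    """
    cmd = apdu[:2]
    idx = [
        _slot(b"sw", cmd, sw.to_bytes(2, "big")),
        _slot(b"data", cmd, len(data).to_bytes(2, "big"), data),
        _slot(b"time", cmd, bytes([timing_bucket(seconds)])),
    ]
    for i in idx:
        trace[i] = (trace[i] + 1) & 0xFF  # 8-bit hit counters, as in AFL's map
    return idx


def covered(trace: bytearray) -> set:
    """Indices of the map that were hit at least once."""
    return {i for i, v in enumerate(trace) if v}


if __name__ == "__main__":
    # Constructed exchanges: a SELECT that succeeds, then one that fails.
    trace = bytearray(MAP_SIZE)
    select = bytes([0x00, 0xA4, 0x04, 0x00])
    print(record_response(trace, select, 0x9000, b"\x6f\x00", 0.0011))
    print(record_response(trace, select, 0x6A82, b"", 0.0006))
    print(sorted(covered(trace)))
```

Two cautions follow from the thread: response data that is random by design (a GET CHALLENGE nonce, for instance) would make the data slot differ on every run, so such commands need the data signal masked or truncated before hashing; and whatever bucketing is chosen for timing, running each input several times and checking which map bytes vary is still the only reliable way to tell real new behaviour from noise.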